What Is HealthVault? Things to Think About Before You Participate

HealthVault (www.healthvault.com[1]) is Microsoft's new service for storing, managing, and accessing a patient's medical information. It operates as an online encrypted service. The service offers a voluntary opportunity for medical records to be collected by aggregating information from various sources, including health-care providers, insurance companies, and compatible medical devices (such as blood pressure monitoring devices).

Because medical records are among the most sensitive types of personal information, we at the Privacy Rights Clearinghouse have some concerns about this service.

The HIPAA Privacy Rule applies to three categories of "covered entities" -- health care providers, health plans, and health care clearinghouses. It is unclear at this time whether Microsoft will be considered a covered entity under HIPAA. Therefore, it is possible that consumers may not have any privacy rights under the HIPAA law if they utilize the HealthVault service.

Another privacy concern is Microsoft's ability to access and disclose personal medical information under specified circumstances. Microsoft's privacy policy states as follows:

Microsoft may access and/or disclose your personal information if we believe such action is necessary to: (a) comply with the law or legal process served on Microsoft; (b) protect and defend the rights or property of Microsoft (including the enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety and welfare of users of Microsoft services or members of the public.

Accordingly, if Microsoft were to be served with a subpoena as part of legal process, it could disclose a patient's personal medical information without being in violation of its privacy policy. This might happen as part of litigation involving any entity, including an insurance company or any other plaintiff or defendant in a civil lawsuit. Similarly, a government agency or law enforcement might issue an administrative subpoena or warrant for this information.

Finally, Microsoft can disclose a patient's medical information to protect its property rights or the welfare of HealthVault users. The standards set forth in its privacy policy would be subject to Microsoft's own interpretation.

At this time, few health care providers are participating in HealthVault, so its utility is somewhat limited. However, if Microsoft is successful in recruiting the majority of health care providers into HealthVault, its usefulness will be significantly increased. The flip side of this is that HealthVault has the potential to become a de facto national medical record. And with that distinction, it has the potential to be abused and become the source of significant privacy violations.

For consumers interested in compiling a complete medical history, we recommend utilizing alternative methods of aggregating your medical records. For additional information, please see our Alert: "For a Complete Medical History, Compile Your Own Health Records but be Cautious about Storing Them Online" at www.privacyrights.org/ar/keepmedfile.htm[2]